In This Chapter
Chapter I
Configuring Cisco PIX Firewalls
Network Address Translation (NAT)
Accessing the PIX command line
Sample PIX Configuration: DHCP
How To Get Static IPs For DSL Cheaply
Sample PIX configuration: DSL - Static IPs
How To Configure Your PIX To Accept Telnet
How To Make Your PIX A DHCP Server
Basic PIX Troubleshooting
===========================================
This chapter covers how to configure a Cisco PIX 501 firewall protecting a DSL-based home network. In addition, the appendix
contains a number of fully commented sample PIX configurations in which each line is explained.
It is important to remember that the PIX 501 has two Ethernet interfaces. The one named "outside" should always be connected to the
Internet and the one named "inside" should be connected to your home network. The "outside" interface is sometimes referred to
as the "unprotected" interface and the "inside" interface is frequently referred to as the "protected" one. The configuration listing
further down shows why: "outside" has security level 0 and "inside" has security level 100, and by default the PIX lets connections be
initiated from a higher security level to a lower one, but not in the opposite direction unless you explicitly permit them.
Via Telnet
o One easy way to reach any device on your network by name is the /etc/hosts file, in which you list the IP addresses of
important devices together with a nickname for each. Here is a sample in which the PIX firewall "pixfw" has the default
IP address of 192.168.1.1 on its inside (protected) interface:
#
# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 pixfw
192.168.1.100 bigboy mail.my-site.com
o Once connected to the network you can access the PIX via telnet, using the nickname from /etc/hosts.
o You'll be prompted for a password, and will need another password to get into the privileged "enable" mode. If you are directly
connected to the console, you should get a similar prompt. A fresh out-of-the-box PIX has no password set, so simply
hitting the "Enter" key will be enough.
Password:
Type help or '?' for a list of available commands.
pixfw> enable
Password: ********
pixfw#
o Use the "write terminal" command to see the current configuration. Note that the passwords appear in it only as hashes (marked
with the "encrypted" keyword), never in cleartext. You will want to change your "password" and "enable password" right after
completing your initial configuration; this is covered below.
pixfw# wr term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dsjf5sdfgsjrgjwk encrypted
passwd sdffg8324dgrggjd encrypted
hostname pixfw
fixup protocol ftp 21
...
...
o ALL PIX configuration commands need to be entered in configuration mode, which you reach by issuing the "configure terminal"
command from the enable-mode prompt.
pixfw# conf t
pixfw(config)# "Enter commands here"
pixfw(config)# exit
pixfw#
o You can usually delete a command from the configuration by adding the word "no" to the beginning of the command you want to
delete. Some commands that can only have a single value won't accept a "no" form; they are simply overwritten
when you issue the command again with a new value.
In the example below, we delete one of many access control list (ACL) entries attached to the outside (Internet) interface
and then change the PIX's name. Note that the prompt changes as soon as the hostname does.
pixfw# conf t
pixfw(config)# no access-list inbound permit tcp any any eq www
pixfw(config)# hostname firewall
firewall(config)# exit
firewall#
o One of the first things you should do is change the default passwords for the PIX.
pixfw# conf t
pixfw(config)# enable password enable-password-here
pixfw(config)# passwd telnet-password-here
pixfw(config)# exit
pixfw#
Note: The password set with "passwd" is the login password prompted for when you connect via the console or telnet; the
"enable password" is the one that protects privileged mode. Choose two different values, since the login password travels in
cleartext over a telnet session.
o When you've finished configuring, you can permanently save your changes by using the "write memory" command:
pixfw# wr mem
Building configuration...
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
pixfw#
In this example, the inside IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the Internet,
you will have to set the default gateway on all your servers to 192.168.1.1. You must be running PIX OS version 6.2 or
greater for this to work.
o DHCP configuration for cable modems is much simpler: there is no username and password requirement as there is with
PPPoE-based DSL. The command that lets your PIX get a DHCP IP address (and its default route) from your ISP is as follows:
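The following is an added example of a complete minimal configuration for that cable-modem case; it is not one of the book's own sample configurations. The interface names and the inside address 192.168.1.1 are taken from this chapter; the interface speed settings (the PIX 501 defaults) and the use of PAT on the dynamically assigned outside address are assumptions about a typical home setup.

```text
: Added example, not from the original page. Assumes PIX OS 6.2 on a PIX 501
: with ethernet0 = outside (Internet) and ethernet1 = inside (home LAN).
hostname pixfw
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
: The outside address comes from the ISP's DHCP server; "setroute" installs
: the gateway handed out in the lease as the PIX's default route, so no
: "route outside" line is needed (and a static one would conflict with it).
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
: Hide the whole inside network behind the (changing) outside address with PAT.
: No inbound access-list is applied, so nothing from the Internet can initiate
: a connection to the inside; only replies to outbound traffic get through.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
: Verify that a lease was obtained and that the default route was learned:
: pixfw# show ip address
: pixfw# show route
```

If "show route" shows no default route, the lease did not complete; check the cabling to the cable modem with "show interface" before suspecting the ISP.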
Note: When you receive your own /29 allocation, all the IPs are exclusively yours whether you use them or not. Some ISPs view this
as wasteful. Some service providers now use PPPoE with DHCP IP address reservations based on your MAC address. This appears
to be an attempt to conserve IP addresses by placing many customers on a large shared network that allows the ISP to add and
subtract allocated IPs at will. This means that the ISP, and not its customers, is in possession of all unused IP addresses.
Once configured, you will be able to reach your web server by using the one-to-one NAT address on the firewall's outside interface as
the destination, e.g. http://one-to-one-NAT-ip-address. Remember that it is not possible to reach your firewall's public NAT IP address
from servers on your home network, as the PIX will not translate traffic that enters and leaves on the same interface. You'll have to
ask a friend to check it out.
Here are some additional TCP ports you may be interested in:
Protocol      Port
FTP           20, 21
SMTP (mail)   25
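As an added example (not one of the page's own sample configurations), here is the static-IP case with one-to-one NAT for the web/mail server and a deliberately narrow inbound ACL. The server "bigboy" at 192.168.1.100, the ACL name "inbound" and the gateway 97.158.253.30 appear elsewhere in this chapter; the /29 allocation 97.158.253.24/29 and the particular addresses chosen for the PIX, the PAT pool and the static mapping are assumptions.

```text
: Added example, not from the original page. Assumed /29 allocation
: 97.158.253.24/29 with the ISP's router at 97.158.253.30: .26 for the PIX,
: .27 for outbound PAT, .28 mapped one-to-one to "bigboy" (192.168.1.100).
ip address outside 97.158.253.26 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 97.158.253.30 1
: Outbound traffic from the home LAN is PAT'ed behind 97.158.253.27.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 97.158.253.27
: One-to-one NAT: the public address 97.158.253.28 maps to bigboy. Without
: an access-list entry the static alone admits nothing from the outside.
static (inside,outside) 97.158.253.28 192.168.1.100 netmask 255.255.255.255 0 0
: Inbound ACL. Permit only the services bigboy actually offers, and only to
: its public address. The over-broad "permit tcp any any eq www" that this
: chapter deletes would expose port 80 on every static mapping at once.
access-list inbound permit tcp any host 97.158.253.28 eq www
access-list inbound permit tcp any host 97.158.253.28 eq smtp
access-list inbound permit tcp any host 97.158.253.28 eq ftp
: (The FTP data connections are taken care of by "fixup protocol ftp 21".)
access-group inbound in interface outside
: Check the translation and the per-entry hit counts after testing from outside:
: pixfw# show xlate
: pixfw# show access-list inbound
```

The implicit deny at the end of the ACL is what keeps everything else out, so add entries only for ports a server really listens on, and re-check "show access-list" hit counts to confirm that the permitted entries, and not a stray broad one, are the ones matching.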
Of course, if you change the IP address of the inside interface, you may have to change the telnet statement that permits access
from the inside network accordingly.
You can also allow access on the outside interface with a similar command. In the case below we're allowing access from the network
64.251.19.0. I generally wouldn't recommend this, but in some cases the need to do it is unavoidable; if you must, permit the
smallest source range you can, since telnet carries the login and enable passwords in cleartext across the Internet.
As an added precaution, you can set the PIX to automatically log out telnet sessions that have been inactive for a period of time. Here
is an example of a 15 minute timeout period:
telnet timeout 15
...
...
pixfw#
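The telnet access statements discussed above, gathered into one added example that is not part of the original page. The inside network 192.168.1.0, the outside network 64.251.19.0 and the 15 minute timeout are the chapter's values; the single-host variant is an assumption included to show the narrower form.

```text
: Added example, not from the original page.
: Recommended: accept telnet only from the inside (protected) network.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
: Only if unavoidable: accept telnet on the outside interface as well. Keep
: the source range as small as possible; a single host is better than a /24.
telnet 64.251.19.0 255.255.255.0 outside
: telnet 64.251.19.7 255.255.255.255 outside   (assumed host address)
: Note that PIX OS only honours telnet to the outside interface when the
: session arrives through an IPsec tunnel; a cleartext telnet straight from
: the Internet is dropped even with this line present.
: Remove the outside permission again with the "no" form:
no telnet 64.251.19.0 255.255.255.0 outside
: Verify which sources are permitted and who is connected right now:
: pixfw# show telnet
: pixfw# who
```

"who" lists the active telnet sessions with their source addresses; an unexpected entry there is the first thing to look for if you suspect someone has the telnet password.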
Your basic physical connectivity should be OK if the interfaces are reported as being in an "up" state with line protocol also "up". If
line protocol is down, you probably have your PIX incorrectly cabled to the Internet or to your home network.
If an interface is reported as "administratively down", then the PIX configuration will most likely have that interface configured
with the word "shutdown" at the end of its "interface" command.
This can be easily corrected. First use the "write terminal" command to confirm the shutdown state. Then enter "config"
mode and re-enter the "interface" command without the word "shutdown" at the end.
The "show interface" command is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and
also the amount of traffic and errors associated with each.
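The shutdown case and its fix side by side, as an added example that is not from the original page. The interface speed is the PIX 501 default for the outside port, and the "show interface" output is reproduced only in outline.

```text
: Added example, not from the original page.
: Broken: the outside interface was left shut down, so "show interface" reports
:   interface ethernet0 "outside" is administratively down, line protocol is down
interface ethernet0 10baset shutdown
: Fix: from config mode, re-enter the same interface command without "shutdown".
interface ethernet0 10baset
: Then confirm. The first line should now read
:   interface ethernet0 "outside" is up, line protocol is up
: pixfw# show interface ethernet0
: "is up, line protocol is down" means the port is enabled but sees no link:
: check the cable to the DSL/cable modem rather than the configuration.
: Save the change once the interface is up:
: pixfw# write memory
```

Keep an eye on the error counters "show interface" prints as well; a rising count of CRC or collision errors on an interface that is "up" points at a bad cable or a duplex mismatch rather than at the PIX configuration.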
Using syslog
A really good method for troubleshooting access control lists (ACLs), and for seeing what methods people are using to try to
access your site, is to use syslog. The appendix has sample syslog configurations for the PIX.
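An added example of the logging statements involved, not one of the appendix's own sample configurations. The syslog server "bigboy" at 192.168.1.100 is the host from the /etc/hosts sample in this chapter; the facility and logging levels are assumptions.

```text
: Added example, not from the original page. Sends PIX syslog to "bigboy"
: (192.168.1.100) on the inside interface; facility and levels are assumptions.
logging on
logging timestamp
: Level 6 (informational) includes the per-connection build/teardown messages;
: level 4 (warnings) is already enough to see ACL denies, which the PIX
: reports as message 106023 ("Deny ... by access-group "inbound"").
logging trap informational
logging facility 20
logging host inside 192.168.1.100
: Also keep a small in-memory buffer so "show logging" works when the syslog
: server is down:
logging buffered warnings
: Confirm the settings and look at the buffered messages:
: pixfw# show logging
```

Syslog over UDP is unauthenticated and unencrypted, so the server should sit on the inside network as here, never be reachable from the outside interface, and the 106023 deny messages it collects are exactly what you want to read before loosening any ACL entry.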
o default gateway that you can "ping". In the case above the gateway is 97.158.253.30.